CN112417489A

CN112417489A - Digital signature generation method and device and server

Info

Publication number: CN112417489A
Application number: CN202011407003.9A
Authority: CN
Inventors: 邓燚; 宋旭阳; 马顺利; 张心轩; 汪海龙; 谢翔
Original assignee: Juzix Technology Shenzhen Co ltd; Institute of Information Engineering of CAS
Current assignee: Juzix Technology Shenzhen Co ltd; Institute of Information Engineering of CAS
Priority date: 2020-12-04
Filing date: 2020-12-04
Publication date: 2021-02-26
Anticipated expiration: 2040-12-04
Also published as: CN112417489B

Abstract

The specification provides a method, a device and a server for generating a digital signature. Based on the method, when the plurality of node servers carry out joint signature, any one of the plurality of node servers participating in the joint signature as a first node server can generate a first random number, a second random number and a first temporary private key firstly; and performing data interaction and verification for multiple times with other node servers by using the data according to a preset protocol rule integrating an ElGamal encryption algorithm and a class group encryption algorithm to generate a first part signature and a second part signature in a target digital signature of the target information in multiple times, so that a complete target digital signature related to the target information can be obtained. Therefore, the multi-threshold combined signature can be efficiently and safely realized on the premise of not revealing private key data held by each node server.

Description

Digital signature generation method and device and server

Technical Field

The present disclosure relates to the field of digital signatures, and in particular, to a method, an apparatus, and a server for generating a digital signature.

Background

With the development of the internet, in many application scenarios (for example, electronic security processing scenarios based on block chains, etc.), processing of related information often involves multiple participants, and more than a threshold number of participants are required to collaboratively participate to enable joint signature of the information; meanwhile, in the above joint signature process of multi-party participation, it is also required to protect the data security of each party and avoid disclosure of private key data held by the party to other parties.

At present, a method for efficiently and safely implementing multi-party threshold combined signature without revealing private key data of each node server is needed.

Disclosure of Invention

The specification provides a method, a device and a server for generating a digital signature, so that a multi-threshold combined signature can be efficiently and safely realized on the premise of not revealing private key data held by each node server.

The present specification provides a method for generating a digital signature, the method being applied to a first node server among a plurality of node servers, the method including:

responding to the joint signature request, and generating a first random number, a second random number and a first temporary private key; wherein the joint signature request carries at least target information to be signed;

encrypting the first random number by using the second random number and the first public key according to a preset protocol rule to obtain first ciphertext data; generating a first temporary commitment file about the first temporary public key using the first temporary private key; generating a first certification file about the first ciphertext data and the first temporary commitment file; the preset protocol rule is obtained according to an ElGamal encryption algorithm and a class group encryption algorithm;

broadcasting a first data group containing the first ciphertext data, a first temporary commitment file and a first certification file to the outside; receiving a first data group broadcast by other node servers;

according to a preset protocol rule and the first data group broadcast by the other node servers, respectively carrying out preset first data interaction with each node server in the other node servers to obtain second intermediate data and third intermediate data;

according to a preset protocol rule and the third intermediate data, performing preset second data interaction with other node servers to generate a first part signature in a target digital signature of target information;

according to a preset protocol rule, a first random number, target information, second intermediate data and a first partial signature, performing preset third data interaction with other node servers to generate a second partial signature in a target digital signature of the target information;

and generating a target digital signature of the target information according to the first partial signature and the second partial signature.

In one embodiment, the obtaining second intermediate data and third intermediate data by performing preset first data interaction with each node server in the other node servers respectively according to a preset protocol rule and the first data group broadcast by the other node servers includes:

generating and sending corresponding first-class parameter data, second ciphertext data and third ciphertext data to each node server in the other node servers according to a preset protocol rule and the first data group broadcast by the other node servers; receiving first class parameter data, second ciphertext data and third ciphertext data which are generated and sent by the other node servers and correspond to the first node server;

decrypting the received second ciphertext data and the third ciphertext data to obtain second type parameter data and third type parameter data respectively corresponding to other node servers;

according to a preset protocol rule, performing first verification by using a first random number, a threshold fragmentation public key of other node servers, and second type parameter data and third type parameter data corresponding to the other node servers;

under the condition that the first verification is determined to pass, generating first intermediate data and second intermediate data of the first node server by using the first random number, the first temporary private key, and second type parameter data and third type parameter data corresponding to other node servers;

broadcasting the first intermediate data externally; receiving first intermediate data broadcast by other node servers;

and generating third intermediate data according to the first intermediate data of the first node server and the first intermediate data broadcast by other node servers.

In one embodiment, generating and sending corresponding first-class parameter data, second ciphertext data and third ciphertext data to each node server in the other node servers according to a preset protocol rule and a first data group broadcast by the other node servers includes:

according to a preset protocol rule, generating and sending corresponding first-class parameter data, second ciphertext data and third ciphertext data to a current node server in the other node servers according to the following modes:

generating a third random number and a fourth random number aiming at the current node server, and generating first type parameter data corresponding to the current node server according to the fourth random number;

according to a preset protocol rule and the first data group broadcast by the other node servers, the first ciphertext data broadcast by the current node server are utilized, and homomorphic encryption processing is carried out to obtain second ciphertext data and third ciphertext data corresponding to the current node server;

and sending a second data group at least comprising the first type of parameter data, the second ciphertext data and the third ciphertext data corresponding to the current node server.

In one embodiment, generating a first partial signature in a target digital signature of target information by performing a preset second data interaction with other node servers according to a preset protocol rule and the third intermediate data includes:

opening a first temporary commitment file according to a preset protocol rule so that other node servers obtain a first temporary public key of a first node server;

generating and broadcasting externally a first temporary certification document about the first temporary public key;

acquiring a first temporary public key of other node servers and a first temporary certification file broadcast by the other node servers;

performing second verification according to the first temporary public key of the other node server and the first temporary certification file broadcast by the other node server;

and under the condition that the second verification is determined to pass, generating a first part signature in the target digital signature of the target information according to a preset protocol rule, the third intermediate data and the first temporary public key of the other node server.

In one embodiment, generating a first partial signature in a target digital signature of target information according to a preset protocol rule, the third intermediate data, and the first temporary public key of the other node server includes:

calculating first target data according to a preset protocol rule, the third intermediate data and the first temporary public key of the other node server;

and determining the abscissa value of the first target data as the first partial signature.

In one embodiment, calculating the first target data according to a preset protocol rule, the third intermediate data, and the first temporary public key of the other node server includes:

calculating the first target data according to the following equation:

R＝δ^-1(∑_j∈SΓ_j)

where R is the first target data, δ is the third intermediate data, Γ_jThe first temporary public key of the node server with the number j is the number of the node server, and S is the set of the node servers participating in the joint signature.

In one embodiment, generating a second partial signature in the target digital signature of the target information by performing preset third data interaction with other node servers according to a preset protocol rule, the first random number, the target information, the second intermediate data and the first partial signature comprises:

constructing component data of a second signature of the first node server according to the first random number, the target information, the second intermediate data and the first partial signature;

constructing first and second intermediate data by using the component data of the second signature and the first partial signature according to a preset protocol rule;

generating and broadcasting externally a first intermediation commitment file about the first intermediation data and the second intermediation data;

under the condition that the first intermediary commitment file broadcasted by the other node server is determined to be received, the first intermediary commitment file is opened so that the other node server can obtain the first intermediary data and the second intermediary data of the first node server;

generating and broadcasting externally a first intermediation certificate concerning the first intermediation data and the second intermediation data;

acquiring first intermediary data and second intermediary data of other node servers and first intermediary certification documents broadcast by the other node servers;

performing third verification according to the first and second intermediary data of the other node servers and the first intermediary certificate broadcasted by the other node servers;

broadcasting component data of a second signature of the first node server to the outside in case that the third verification is determined to pass; receiving component data of a second signature broadcast by other node servers;

and generating a second partial signature in the target digital signature of the target information according to the component data of the second signature of the first node server and the component data of the second signature broadcast by other node servers.

In one embodiment, after determining that the third verification passes, the method further comprises:

constructing third intermediary data and fourth intermediary data by using the component data of the second signature, the first partial signature, the signature public key, the first intermediary data and the second intermediary data according to a preset protocol rule;

generating and broadcasting externally a second broker commitment file regarding the third broker data and fourth broker data;

under the condition that the second intermediary commitment file broadcasted by other node servers is determined to be received, the second intermediary commitment file is opened so that the other node servers can obtain third intermediary data and fourth intermediary data of the first node server;

acquiring third intermediary data and fourth intermediary data of other node servers;

performing fourth verification according to the third intermediary data and the fourth intermediary data of the other node servers and the third intermediary data and the fourth intermediary data of the first node server;

accordingly, the method can be used for solving the problems that,

broadcasting component data of a second signature of the first node server to the outside in case that the fourth verification is determined to pass; and receives component data of the second signature broadcast by the other node servers.

In one embodiment, constructing the component data of the second signature of the first node server based on the first random number, the target information, the second intermediate data, and the first partial signature comprises:

and constructing component data of a second signature of the first node server according to the following formula:

s_i＝k_im+σ_ir

wherein s is_iComponent data of a second signature of the first node server, i is the number of the first node server, k_iIs the first random number of the first node server, m is the target information, σ_iAnd r is a first partial signature for second intermediate data of the first node server.

In one embodiment, generating the first random number, the second random number, and the first ephemeral private key in response to the joint signature request includes:

responding to the joint signature request, and generating and broadcasting confirmation information to the outside under the condition of determining to participate in the joint signature;

receiving confirmation information broadcast by other node servers;

counting the number of node servers broadcasting the acknowledgement information;

and under the condition that the number of the node servers broadcasting the confirmation information is larger than a preset threshold value, generating a first random number, a second random number and a first temporary private key.

In one embodiment, prior to generating the first random number, the second random number, and the first ephemeral private key in response to the joint signature request, the method further comprises:

generating a first public key, a first private key, a first partial signature private key and a first partial signature public key according to a preset protocol rule;

generating and broadcasting a third data set containing a first part commitment file and a first public key related to the first part signature public key;

under the condition that the third data group broadcasted by other node servers is determined to be received, opening a first part commitment file so that the other node servers obtain a first part signature public key of the first node server;

acquiring and performing fifth verification according to the first part of signature public keys of other node servers;

and under the condition that the fifth verification is determined to pass, generating a threshold fragment private key and a threshold fragment public key of the first node server according to a preset protocol rule, a preset threshold value and the first part of signature public key, and broadcasting the threshold fragment public key to the outside.

In one embodiment, the first public key comprises: public key data based on an ElGamal encryption algorithm and public key data based on a class group encryption algorithm; the first private key comprises: private key data based on the ElGamal encryption algorithm and private key data based on the class group encryption algorithm.

In one embodiment, the generating a threshold fragmentation private key and a threshold fragmentation public key of a first node server according to a preset protocol rule, a preset threshold value and a first part of signature public key includes:

constructing a target polynomial with the times being a preset threshold value according to a preset protocol rule;

interacting with other node servers according to the target polynomial to acquire threshold parameters of the other node servers aiming at the first node server;

generating a threshold fragmentation private key of the first node server according to threshold parameters of other node servers aiming at the first node server;

and generating a threshold sharding public key of the first node server according to the threshold sharding private key of the first node server.

The present specification also provides an apparatus for generating a digital signature, including:

the first generation module is used for responding to the joint signature request and generating a first random number, a second random number and a first temporary private key; wherein the joint signature request carries at least target information to be signed;

the first processing module is used for encrypting the first random number by using the second random number and the first public key according to a preset protocol rule to obtain first ciphertext data; generating a first temporary commitment file about the first temporary public key using the first temporary private key; generating a first certification file about the first ciphertext data and the first temporary commitment file; the preset protocol rule is obtained according to an ElGamal encryption algorithm and a class group encryption algorithm;

the broadcast module is used for broadcasting a first data group containing the first ciphertext data, a first temporary commitment file and a first certification file to the outside; receiving a first data group broadcast by other node servers;

the second processing module is used for performing preset first data interaction with each node server in other node servers respectively according to a preset protocol rule and the first data group broadcast by the other node servers to obtain second intermediate data and third intermediate data;

the third processing module is used for carrying out preset second data interaction with other node servers according to a preset protocol rule and the third intermediate data so as to generate a first part signature in a target digital signature of target information;

the fourth processing module is used for carrying out preset third data interaction with other node servers according to a preset protocol rule, the first random number, the target information, the second intermediate data and the first partial signature so as to generate a second partial signature in the target digital signature of the target information;

and the second generation module is used for generating a target digital signature of the target information according to the first partial signature and the second partial signature.

The present specification also provides a server comprising a processor and a memory for storing processor-executable instructions, wherein the processor executes the instructions to implement the steps related to the method for generating a digital signature.

The present specification also provides a computer readable storage medium having stored thereon computer instructions which, when executed, implement the relevant steps of the above-described method for generating a digital signature.

According to the method, when a plurality of node servers perform joint signature, any one of the plurality of node servers participating in the joint signature as a first node server can generate a first random number, a second random number and a first temporary private key first; and performing data interaction and verification for multiple times with other node servers by using the data according to a preset protocol rule integrating an ElGamal encryption algorithm and a class group encryption algorithm to generate a first part signature and a second part signature in a target digital signature of the target information in multiple times, so that a complete target digital signature related to the target information can be obtained. Therefore, the multi-threshold combined signature can be efficiently and safely realized on the premise of not revealing private key data held by each node server. The method effectively solves the technical problems of large calculation amount, low processing efficiency, large communication bandwidth and safety risk in the multi-party threshold joint signature of the existing method.

Drawings

In order to more clearly illustrate the embodiments of the present specification, the drawings needed to be used in the embodiments will be briefly described below, and the drawings in the following description are only some of the embodiments described in the present specification, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without any creative effort.

Fig. 1 is a schematic diagram of an embodiment of a structural component of a system to which a method for generating a digital signature provided by an embodiment of the present specification is applied;

fig. 2 is a flowchart illustrating a method for generating a digital signature according to an embodiment of the present disclosure;

FIG. 3 is a diagram illustrating an embodiment of a method for generating a digital signature provided by an embodiment of the present specification, in an example scenario;

FIG. 4 is a diagram illustrating an embodiment of a method for generating a digital signature provided by an embodiment of the present specification, in an example scenario;

FIG. 5 is a schematic diagram of a server according to an embodiment of the present disclosure;

fig. 6 is a schematic structural component diagram of a digital signature generation apparatus provided in an embodiment of the present specification;

fig. 7 is a schematic diagram of an embodiment of a method for generating a digital signature provided by an embodiment of the present specification, in an example scenario.

Detailed Description

In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.

Considering that in an application scenario of multi-party threshold joint signature, the joint signature of the information to be signed can be normally completed only by the cooperation of the parties with the number larger than the threshold value; meanwhile, the data security of each participant is also required to be protected in the above scene, and the private key data held by the participant is prevented from being revealed to other participants. For the above scenario, most of the existing methods use a Paillier-based homomorphic encryption method to implement ECDSA signatures involving multiple parties.

However, based on the above method, because the Paillier homomorphic encryption is different from the modulus in the ECDSA system, it is necessary to introduce a heavier range zero knowledge proving subprotocol, so that the processing process is more complicated when the above method is implemented specifically, and a larger amount of calculation and communication bandwidth need to be consumed, thereby causing technical problems of low processing efficiency and large communication bandwidth.

Aiming at the root cause of the problems, the specification can comprehensively utilize specific characteristics and confidentiality requirements in an ElGamal encryption algorithm, a class group encryption algorithm and a multi-party threshold joint signature scene through creative labor consideration to construct a set of new protocol rules, namely preset protocol rules (also called a Promise Sigma protocol). Furthermore, each node server (for example, the first node server) of the plurality of node servers participating in the signature may perform data interaction with other node servers for multiple times according to the preset protocol rule, so as to generate the first partial signature and the second partial signature in the target digital signature in a time-sharing and secure manner, and thus, a complete target digital signature related to the target information may be obtained. Therefore, the multi-threshold combined signature can be efficiently and safely realized on the premise of not revealing private key data held by each node server.

Based on the above thought, the embodiments of the present specification provide a method for generating a digital signature, which may be specifically applied to a system including a plurality of node servers (e.g., node server 1, node server 2, node server 3, … … node server i, and … … node server n). In particular, reference may be made to fig. 1. Different node servers in the system can be connected in a wired or wireless mode, and specific data interaction is carried out.

In specific implementation, each node server in the plurality of node servers may respectively respond to the joint signature request carrying the target information to be signed, and generate a first random number, a second random number, and a first temporary private key.

Further, each node server in the plurality of node servers may encrypt the first random number by using the second random number and the first public key according to a preset protocol rule to obtain first ciphertext data; generating a first temporary commitment file about the first temporary public key using the first temporary private key; generating a first certification file about the first ciphertext data and the first temporary commitment file; the preset protocol rule is obtained according to an ElGamal encryption algorithm and a class group encryption algorithm.

Then, each node server of the plurality of node servers may broadcast a first data group including the first ciphertext data, the first temporary commitment file and the first certification file to the outside; and simultaneously receiving a first data group which is broadcasted by other node servers and contains first ciphertext data, a first temporary commitment file and a first certification file of other node services.

Each node server of the plurality of node servers may perform preset first data interaction with each node server of the other node servers respectively according to a preset protocol rule and the first data group broadcast by the other node servers, so as to obtain second intermediate data and third intermediate data.

Then, each node server of the plurality of node servers may perform preset second data interaction with other node servers according to a preset protocol rule and the third intermediate data to generate a first partial signature of the target digital signature of the target information.

Furthermore, each node server of the plurality of node servers may generate a second partial signature of the target digital signature of the target information by performing preset third data interaction with other node servers according to a preset protocol rule, the first random number, the target information, the second intermediate data, and the first partial signature.

Finally, the plurality of node servers may generate a target digital signature of the target information based on the first partial signature and the second partial signature.

In this way, any one of the node servers can set the generated target digital signature on the target information to complete the joint signature for the target information.

In this embodiment, the node server may specifically include a background server that is applied to a service platform side and is capable of implementing functions such as data transmission and data processing. Specifically, the node server may be, for example, an electronic device having data operation, storage function and network interaction function. Alternatively, the node server may also be a software program running in the electronic device and providing support for data processing, storage and network interaction. In this embodiment, the number of servers included in the node server is not particularly limited. The node server may be specifically one server, several servers, or a server cluster formed by several servers.

Through the system, each node server can efficiently and safely realize the multi-threshold combined signature on the premise of not revealing held private key data. The method solves the technical problems of large calculation amount, low processing efficiency, large communication bandwidth and safety risk in the multi-party threshold joint signature of the existing method.

Referring to fig. 2, an embodiment of the present disclosure provides a method for generating a digital signature. The method is particularly applied to the first node server side. In particular implementations, the method may include the following.

S201: responding to the joint signature request, and generating a first random number, a second random number and a first temporary private key; wherein the joint signature request carries at least target information to be signed.

In this embodiment, the method for generating the digital signature may be specifically applied to the first node server (the number of the node server may be denoted as i, and the corresponding first node server may be denoted as p)_i). The first node server may be specifically understood as any one of a plurality of node servers participating in joint signature.

Furthermore, the plurality of node servers participating in the joint signature perform the joint signature based on the multi-party threshold signature rule. The multi-party threshold signature rule may refer to: a plurality of (for example, n) node servers (or members) form a signature group (or signature system), and the signature group possesses a pair of group public key and group private key; in a specific signature, when a number of node servers in a group is greater than a threshold value (e.g., t) to participate in the signature, the plurality of node servers participating in the signature may perform signature on behalf of the group using a group private key, and any one of the node servers may perform signature verification using a group public key.

In this embodiment, the joint signature request may specifically be understood as request data in which node servers in a request group participate to cooperatively generate a digital signature for target information to complete a joint signature operation on the target information.

In this embodiment, the joint signature request may carry target information to be signed. In this embodiment, the target information may specifically be a trade order in a data processing scenario, an electronic security in an electronic security processing scenario, or a notification message to be transmitted in a communication interaction scenario. Of course, the above listed target information is only an illustrative description. In specific implementation, the target information to be signed may further include other types of data information for different application scenarios. The present specification is not limited to these.

In this embodiment, the joint signature request may be specifically initiated by the first node server, may be initiated by any node server in the group except the first node server, and may be initiated by a third party device outside the group, for example, a terminal device arranged at the user side.

In this embodiment, during the signature phase, reference may be made to fig. 3. In specific implementation, the first node server may respond to the joint signature request, and obtain target information (which may be denoted as m) carried in the joint signature request; and generating a first random number (which may be denoted as k) of the first node server according to a preset protocol rule_i) And a second random number (which may be designated as r)_i) And a first temporary private key (which may be noted as γ)_i)。

In this embodiment, the preset protocol rule may be specifically understood as a new protocol rule that is designed and constructed by combining the ElGamal encryption algorithm and the class group encryption algorithm and combining the scene characteristics of the multi-party threshold joint signature. Specifically, it can be written as: promise Sigma protocol (rules).

The ElGamal encryption algorithm may be specifically understood as an asymmetric encryption algorithm based on diffie-hellman key exchange in cryptography. The above-mentioned group encryption algorithm (also referred to as a group-based encryption technology) may be specifically understood as a data encryption algorithm designed for a system in which a plurality of group members participate together to assist in processing data.

In this embodiment, in the signature Phase, referring to Phase (step) 1 in fig. 3, when implemented, the first node server may beTo range from a first numerical value (which may be noted as: Z)_qOr as used in FIG. 3

) An inner random number is extracted as a first random number, which can be expressed as: k is a radical of_i←Z_q. Specifically, the first numerical range may be greater than 0 and equal to or less than q, and q is a prime number. Meanwhile, the first node server may randomly extract a value from the first value range as the first temporary private key, which may be represented as: gamma ray_i←Z_q。

In this embodiment, in order to find the second random number that meets the preset protocol rule from a larger integer range, in a specific implementation, the first node server may obtain the second random number from a second value range (which may be denoted as S)]) And (3) internally randomly drawing a numerical value as a second random number, which can be expressed as: r is_i←[S]. Wherein, the S may be specifically expressed as a subgroup in class group encryption

Is approximately upper bound.

In this embodiment, while the first node server responds to the joint signature request in the above manner to generate the first random number, the second random number, and the first temporary private key of the first node server, the other node servers (which may be denoted as { p }_j}_j≠i) The first random number, the second random number, and the first temporary private key of the own party may each be generated in the same manner. The other node servers may be specifically understood as node servers participating in joint signature except for the first node server.

In this embodiment, a set of a plurality of node servers (including the first node server and other node servers) participating in the joint signature in the signature group at this time may be denoted as S. Wherein, the number of node servers contained in S is greater than a preset threshold (which may be denoted as t), i ∈ S and

n is the total number of node servers in the signature group.

It should be noted that, the node servers participating in the joint signature in the set D respectively hold their own threshold sharding private key (X) and first private key (sk), and disclose their own threshold sharding public key (pk) and first public key (X) to other node servers. The acquisition of the above data will be described later in detail.

S202: encrypting the first random number by using the second random number and the first public key according to a preset protocol rule to obtain first ciphertext data; generating a first temporary commitment file about the first temporary public key using the first temporary private key; generating a first certification file about the first ciphertext data and the first temporary commitment file; the preset protocol rule is obtained according to an ElGamal encryption algorithm and a class group encryption algorithm.

In this embodiment, referring to Phase1 in fig. 3, in a specific implementation, the first node server may utilize the second random number and the first public key (which may be denoted as pk) according to a preset protocol rule_i) Encrypting the first random number to obtain corresponding first ciphertext data (which may be recorded as

). For example,

in this embodiment, in a specific implementation, the first node server may generate, according to a preset protocol rule, a first temporary commitment file (which may be denoted as c) about the first temporary public key by using the first temporary private key_i). E.g. c_i←Com(γ_iP). Specifically, P (may be also referred to as G) may be represented as a generator having a prime number of the order on the elliptic curve based on the ECDSA digital signature.

In the present embodiment, the Digital Signature (Digital Signature): the public key digital signature can be specifically understood as a digital string which can be generated only by a signer holding information and cannot be forged by other people, and the digital string is also a valid proof for sending information authenticity to the signer of the information.

In the present embodiment, ECDSA (Elliptic Curve Digital Signature Algorithm) can be specifically understood as a Signature Algorithm that uses Elliptic Curve Cryptography (ECC) to simulate a Digital Signature Algorithm (DSA).

Accordingly, the digital signature referred to in the present embodiment may specifically be an ECDSA digital signature. It should be noted that the ECDSA digital signature listed above is only an exemplary one, and the method for generating a digital signature provided in this specification is not limited to be adaptively generalized and applied to other types of digital signatures according to specific application scenarios and specific characteristics of the signature algorithm used.

In this embodiment, in specific implementation, the first node server may further generate, according to a preset protocol rule, an NIZK certificate (which may be denoted as pi) about the first ciphertext data and the first temporary commitment file_i) The file, as a first certification file. The above-mentioned NIZK proof is understood to be a non-interactive zero-knowledge proof generated using the Promise Sigma protocol.

In this embodiment, the other node servers may respectively generate the first ciphertext data, the first temporary commitment file, and the first certification file of the own party in the same manner.

S203: broadcasting a first data group containing the first ciphertext data, a first temporary commitment file and a first certification file to the outside; and receiving the first data group broadcast by the other node servers.

In this embodiment, the first node server may obtain the first data group of the first node server by combining the first ciphertext data, the first temporary commitment file and the first certification file, for example, (c)_i，

π_i). Further, the first data group may be broadcast to the outside in a group. Accordingly, other node servers may receive the first number broadcast by the first node serverAccording to the group.

Meanwhile, other node servers may also generate and broadcast the first data group including the first ciphertext data, the first temporary commitment file and the first data group of the first certification file of the own party to the outside. Accordingly, the first node server may receive the first data group broadcast by the other node servers.

S204: and according to a preset protocol rule and the first data group broadcast by the other node servers, respectively carrying out preset first data interaction with each node server in the other node servers to obtain second intermediate data and third intermediate data.

In an embodiment, the second intermediate data and the third intermediate data are obtained by performing preset first data interaction with each node server in the other node servers according to the preset protocol rule and the first data group broadcast by the other node servers, and the specific implementation may include the following contents.

S1: generating and sending corresponding first-class parameter data, second ciphertext data and third ciphertext data to each node server in the other node servers according to a preset protocol rule and the first data group broadcast by the other node servers; and receiving the first type of parameter data, the second ciphertext data and the third ciphertext data which are generated and sent by the other node servers and correspond to the first node server.

In this embodiment, when the first node service is implemented specifically, according to a preset protocol rule, the first node service may perform one-to-one data interaction with other node servers through two side channels, so as to generate and send corresponding first type parameter data, second ciphertext data, and third ciphertext data to each node server in the other node servers; and receiving first-class parameter data, second ciphertext data and third ciphertext data which are generated and sent by other node servers and correspond to the first node server.

In an embodiment, the generating and sending the corresponding first-type parameter data, second ciphertext data, and third ciphertext data to each node server in the other node servers according to the preset protocol rule and the first data group broadcast by the other node servers may, in specific implementation, include:

s1-1: generating a third random number and a fourth random number aiming at the current node server, and generating first type parameter data corresponding to the current node server according to the fourth random number;

s1-2: according to a preset protocol rule and the first data group broadcast by the other node servers, the first ciphertext data broadcast by the current node server are utilized, and homomorphic encryption processing is carried out to obtain second ciphertext data and third ciphertext data corresponding to the current node server;

s1-3: and sending a second data group at least comprising the first type of parameter data, the second ciphertext data and the third ciphertext data corresponding to the current node server.

In this embodiment, any node server with the number j in the other node servers is taken as the current node server (which may be denoted as p)_j) The description is made specifically for the purpose of example.

Referring to Phase2 in FIG. 3, the first node server may generate a third random number (which may be denoted as β) for the current node server_j,i) And a fourth random number (which may be noted as v)_j,i). In particular, e.g. beta_j,i，υ_j,i←Z_q. And calculates the first type parameter data (B) based on the fourth random number_j,i). For example, B_j,i＝υ_j,iP。

Further, the first node server may utilize the first ciphertext data of the current node server in the first data group broadcasted by the current node server according to a preset protocol rule

Obtaining second ciphertext data (which may be recorded as "ciphertext") of the first node server for the current node server by performing corresponding homomorphic encryption processing

) And third ciphertext data (which may be denoted as

)。

When the above homomorphic encryption processing is implemented, the following contents may be included: first a new random number t_j,i，tt_j,i←[qS]. Referring to FIG. 3, tt_j,iCan also be recorded as

Specifically, the new random number can be calculated according to the following formula: t is t_p,ji＝t_j,imodq，tt_p,ji＝tt_j,imodq. Wherein q is a prime number. Then according to the preset protocol rule, the homomorphism property of the promise encryption is utilized, and the use of the promise encryption is realized

The corresponding cipher text is obtained by the following calculation formula

Wherein,

representing an exponential operation on the ciphertext data,

representing a homomorphic addition operation on the ciphertext data. As described above

The plain texts are respectively: k is a radical of_j(γ_i+tt_j,i)-β_j,imodq，k_j(w_i+t_j,i)-υ_j,imodq。

The first node server may further combine the second data group of the first type parameter data, the second ciphertext data, and the third ciphertext data to obtain a corresponding second data group, for example, (b), (c), (d), and (d)

B_j,i) (ii) a And sending the second data group to the corresponding current node server. Wherein, the second data group further comprises a new random number t used in calculating the second ciphertext data and the third ciphertext data_j,i，tt_j,i。

In a similar manner, the other node servers may also generate a second data group for the first node server and send the second data group to the first node server through the two-way channel. In this way, the first node server may receive the second data group for the own party generated and sent by the other node servers.

S2: and decrypting the received second ciphertext data and the third ciphertext data to obtain second-class parameter data and third-class parameter data respectively corresponding to other node servers.

In this embodiment, it is exemplified that the current node server with the number j decrypts the second ciphertext data and the third ciphertext data sent by the first node server.

After the current node server receives the second group sent by the first order receiving server, the current node server may first use the own party's own hold after the second ciphertext data and the third ciphertext data are receivedSome first random number k_jAnd a new random number t_j,i，tt_j,iDecrypting the second ciphertext data and the third ciphertext data to obtain corresponding plaintext data as a second type of parameter data (e.g., alpha)_j,i) And a third type of parametric data (e.g., μ_j,i) I.e. alpha_j,i＝k_j(γ_i+tt_j,i)-β_j,imodq，μ_j,i＝k_j(w_i+t_j,i)-υ_j,imodq。

In a similar manner, the first node server and the other node servers may decrypt the second ciphertext data and the third ciphertext data sent by the other node servers respectively to obtain the corresponding second type parameter data and the corresponding third type parameter data.

S3: and according to a preset protocol rule, performing first verification by using the first random number, the threshold fragmentation public key of other node servers, and the second type parameter data and the third type parameter data corresponding to other node servers.

In this embodiment, take the current node server with the number j as an example to perform the first verification for the first node server.

The current node server may detect whether the following equation is satisfied according to a first random number held by the own party, a threshold fragment public key of the first node server, and second-class parameter data and third-class parameter data corresponding to the first node server, to perform a first verification:

k_jW_i＝μ_j,iP+B_j,i

wherein k is_jIs the first random number, W, of the current node server_iThreshold sharding public key, mu, for a first node server_j,iFor the third type of parameter data corresponding to the first node server (which may also be referred to as the third type of parameter data of the current node server for the first node server), B_j,iIs a first type of parameter data (which may also be referred to as a first type of parameter data for the first node server with respect to the current node server). Wherein the threshold fragmentation public key of the first node server is based on the first node serviceThe device is held and secret, and the threshold shard private key of the first node server is externally disclosed.

If the equation is detected to be established, determining that the first verification of the current node server for the first node server is passed; otherwise, determining that the first verification of the current node server aiming at the first node server is not passed.

In the same manner, each node server may perform the first authentication on the node server that sends the second data group to the own party.

If the first verification of each node server aiming at all the node servers is verified to pass, the first verification is determined to pass, and then the node servers can be determined to be performed according to the preset protocol rule, so that the node servers are safe and effective, and subsequent data processing can be continued. If at least one of the first verifications of all the node servers is not passed, the first verification is determined to be not passed, and further the risk is determined to exist, and the subsequent data processing is terminated in order to protect the data security of the participator. By the method, the data security of the node servers participating in the signature is effectively protected.

S4: and under the condition that the first verification is determined to pass, generating first intermediate data and second intermediate data of the first node server by using the first random number, the first temporary private key and second type parameter data and third type parameter data corresponding to other node servers.

In this embodiment, when it is determined that the first authentication passes, taking the first node server as an example, the first intermediate data and the second intermediate data of the first node server may be obtained by calculating according to the following equations by using the first random number, the first temporary private key, and the second type parameter data and the third type parameter data corresponding to other node servers:

δ_i＝k_iγ_i+∑_j≠i(α_i,j+β_i,j)，σ_i＝k_iw_i+∑_j≠i(μ_i,j+υ_i,j)

wherein, delta_iIs the first intermediate data of the first node server, sigma_iSecond intermediate data of the first node server.

In the same manner, the other node servers may respectively calculate the respective first intermediate data and second intermediate data.

S5: broadcasting the first intermediate data externally; and receiving the first intermediate data broadcast by the other node servers.

In this embodiment, the first node server may broadcast the own first intermediate data to the outside, and correspondingly, the other node servers may receive the first intermediate data of the first node server. Meanwhile, other node servers may broadcast the own first intermediate data to the outside, and correspondingly, the first node server may receive the first intermediate data broadcast by the other node servers.

S6: and generating third intermediate data according to the first intermediate data of the first node server and the first intermediate data broadcast by other node servers.

In this embodiment, referring to Phase3 in fig. 3, the first node server may accumulate the first intermediate data broadcast by the other node servers and the first intermediate data of the own party to obtain corresponding third intermediate data. Specifically, the third intermediate data may be calculated according to the following equation: delta ═ Σ_i∈Sδ_i. Where δ is the third intermediate data.

In the same manner, the other node servers may respectively calculate the third intermediate data.

In an embodiment, after receiving the first data group broadcast by the other node server, the first node server may first extract the first certification file from the first data group, and verify whether the first temporary commitment file and the first ciphertext data in the first data group broadcast by the other node server meet the preset protocol rule according to the first certification file. Similarly, other node servers will perform the same authentication. If there is a first credential in the first data set that fails verification, subsequent data processing is terminated. Thereby more effectively protecting the data security of the participants.

S205: and according to a preset protocol rule and the third intermediate data, performing preset second data interaction with other node servers to generate a first part signature in the target digital signature of the target information.

In an embodiment, the generating of the first partial signature in the target digital signature of the target information by performing the preset second data interaction with the other node server according to the preset protocol rule and the third intermediate data may include the following steps in specific implementation.

S1: and opening the first temporary commitment file according to a preset protocol rule so that other node servers obtain the first temporary public key of the first node server.

In this embodiment, referring to Phase4 in fig. 3, the first node server may open the first temporary commitment file c in the first data group broadcast before_iTherefore, other node servers can obtain the first temporary public key of the first node server: gamma-shaped_j＝γ_iP。

In the same way, the other node server may open the first temporary commitment file in the first data group broadcasted before so that the other node server can obtain the first temporary public key of the own party.

S2: a first temporary certification document about the first temporary public key is generated and broadcast out.

In this embodiment, referring to Phase4 in fig. 3, the first node server may further generate an NIZK certification document regarding the first temporary public key as a first temporary certification document, which is recorded as a first temporary certification document

Wherein the first temporary certificate is for certifying the presence of a gamma_iSo that there is a first temporary public key gamma_iAnd P. The first node server may broadcast the first temporary proof file externally.

In the same manner, the other node servers may generate and externally broadcast the corresponding first temporary certification document.

S3: and acquiring the first temporary public key of the other node server and the first temporary certification file broadcast by the other node server.

In this embodiment, in the above manner, the first node server and the other node servers may respectively obtain the first temporary public key of each node server; meanwhile, the first temporary commitment file and the first temporary certification file sent by other node servers can be respectively received. For example, a first node server may receive a first temporary commitment file for other node servers, which may be denoted as { c_i}_j∈S,j≠iAnd a first temporary proof document, which may be written as { π_jγ}_j∈S,j≠i。

S4: and performing second verification according to the first temporary public key of the other node server and the first temporary certification file broadcast by the other node server.

In this embodiment, the first node server may verify the first temporary public key according to the first temporary public key of the other node servers, and the corresponding first temporary certification file and the corresponding first temporary commitment file, so as to determine whether the first temporary public key is generated according to the preset protocol rule.

In the same manner, the other node server may also verify the first temporary public key of the other node server.

If all the first temporary public keys are verified, the second verification is determined to be passed, and the subsequent data processing can be continued. If at least one of the verification failures is determined, the second verification failure is determined, and the subsequent data processing can be terminated, so that the data security of the participants can be effectively protected.

S5: and under the condition that the second verification is determined to pass, generating a first part signature in the target digital signature of the target information according to a preset protocol rule, the third intermediate data and the first temporary public key of the other node server.

In an embodiment, the generating a first partial signature in the target digital signature of the target information according to the preset protocol rule, the third intermediate data, and the first temporary public key of the other node server may include:

s5-1: calculating first target data according to a preset protocol rule, the third intermediate data and the first temporary public key of the other node server;

s5-2: and determining the abscissa value of the first target data as the first partial signature.

In an embodiment, the calculating the first target data according to the preset protocol rule, the third intermediate data, and the first temporary public key of the other node server may include:

calculating the first target data according to the following equation:

R＝δ^-1(∑_j∈SΓ_j)

In this embodiment, the determining of the abscissa value of the first target data as the first partial signature may be implemented by splitting the first target data R into an ordinate value corresponding to the ordinate y and an abscissa value corresponding to the abscissa x, and further determining the abscissa value as the first partial signature, which may be denoted as R. In particular, see also Phase4 in fig. 3.

In one embodiment, a hash value of the first target data may also be calculated as the first partial signature using a hash function.

In the same way, the other node servers may respectively calculate the first partial signature.

S206: and according to a preset protocol rule, the first random number, the target information, the second intermediate data and the first partial signature, performing preset third data interaction with other node servers to generate a second partial signature in the target digital signature of the target information.

In an embodiment, the generating of the second partial signature in the target digital signature of the target information by interacting with the preset third data of the other node server according to the preset protocol rule, the first random number, the target information, the second intermediate data, and the first partial signature may be implemented as follows.

S1: and constructing component data of a second signature of the first node server according to the first random number, the target information, the second intermediate data and the first partial signature.

In an embodiment, the constructing component data of the second signature of the first node server according to the first random number, the target information, the second intermediate data, and the first partial signature may be implemented by:

s_i＝k_im+σ_ir

In this embodiment, in implementation, referring to Phase5 in fig. 3, the hash value of the target information is calculated according to the following equation: obtaining a target hash value m'; and then the target hash value m' is used to replace the target information m to calculate the corresponding component data s of the second signature_i。

In the same manner, the other node servers may respectively calculate the component data of the respective second signature.

S2: and constructing the first and second intermediate data according to the component data of the second signature and the first partial signature according to a preset protocol rule.

In this embodiment, when implemented, the first node server may construct the first intermediary data and the second intermediary data of the first node server according to the following equation:

V_i＝s_iR+l_iP，A_i＝ρ_iP

wherein, V_iAs first intermediate data, A_iFor second intermediate data, p_iIs a fifth random number,/_iIs a sixth random number, and R is the first target data. Wherein the fifth random number and the sixth random number are generated as follows: rho_i,l_i←Z_q。

In the same manner, the other node servers may respectively construct the own first intermediation data and second intermediation data.

S3: a first broker commitment file regarding the first broker data and the second broker data is generated and broadcasted outside.

In this embodiment, referring to Phase5 in fig. 3, when the first node server is implemented, the first intermediate commitment file (which may be denoted as c 1) may be generated as follows_i)：cl_i←Com(V_i，A_i). And broadcasts the first intermediary commitment file.

In the same manner, the other node servers may generate and broadcast the corresponding first intermediary commitment file, respectively.

S4: and in case that the first intermediary commitment file broadcasted by the other node server is determined to be received, opening the first intermediary commitment file to enable the other node server to obtain the first intermediary data and the second intermediary data of the first node server.

In this embodiment, the first node server receives all the first intermediary commitment files (e.g., { c1 }_j}_j∈S,j≠i) In this case, the first mediation commitment file c1 of the own party may be opened_iSo that other node servers can obtain the first intermediary data and the second intermediary data of the first node server.

In the same manner, the other node servers may open the own first intermediary commitment file, respectively. Accordingly, the first node server may obtain the first intermediary data and the second intermediary data of the other node servers.

S5: a first intermediation certificate concerning the first intermediation data and the second intermediation data is generated and broadcasted externally.

In this embodiment, the first node server may further generate an NIZK certificate as the first intermediary certificate, which may be denoted as pi, regarding the first intermediary data and the second intermediary data_iVA. Wherein the first intermediary certificate is for proving presence(s)_i,ρ_i,l_i) So that V_i＝s_iR+l_iP，A_i＝ρ_iP holds. Further, the first node server may broadcast the first intermediary certificate to the outside.

In the same manner, the other node servers may generate and broadcast the corresponding first intermediation certificate.

S6: and acquiring the first and second intermediate data of other node servers and the first intermediate certificate broadcasted by other node servers.

S7: and performing third verification according to the first and second intermediate data of the other node servers and the first intermediate certificate broadcasted by the other node servers.

In this embodiment, the first node server may combine the left and right zero knowledge certificates according to the first intermediary data and the second intermediary data of the other node servers and the first intermediary certificate files broadcast by the other node servers to verify whether the received first intermediary data and second intermediary data and the related commitments and certificates are accurate.

Similarly, the other node servers may verify the received first and second intermediary data and the associated commitments and proofs as to whether they are accurate in the same manner.

In the case where all of the determinations are accurate, it is determined that the third verification passes, and the subsequent data processing can be continued. Accordingly, in the case where it is determined that there is at least one inaccuracy, it is determined that the third verification fails, and the subsequent data processing is terminated, so that the data security of the participating party can be protected.

S8: broadcasting component data of a second signature of the first node server to the outside in case that the third verification is determined to pass; and receives component data of the second signature broadcast by the other node servers.

S9: and generating a second partial signature in the target digital signature of the target information according to the component data of the second signature of the first node server and the component data of the second signature broadcast by other node servers.

In an embodiment, in order to further protect the data security of the participant, when the method is implemented after the third authentication is determined to pass, the following may be further included.

S1: constructing third intermediary data and fourth intermediary data by using the component data of the second signature, the first partial signature, the signature public key, the first intermediary data and the second intermediary data according to a preset protocol rule;

s2: generating and broadcasting externally a second broker commitment file regarding the third broker data and fourth broker data;

s3: under the condition that the second intermediary commitment file broadcasted by other node servers is determined to be received, the second intermediary commitment file is opened so that the other node servers can obtain third intermediary data and fourth intermediary data of the first node server;

s4: acquiring third intermediary data and fourth intermediary data of other node servers;

s5: performing fourth verification according to the third intermediary data and the fourth intermediary data of the other node servers and the third intermediary data and the fourth intermediary data of the first node server;

accordingly, the method can be used for solving the problems that,

In this embodiment, referring to Phase5 in fig. 3, when the third intermediary data and the fourth intermediary data are constructed by using the component data of the second signature, the first partial signature, the public signature key, the first intermediary data and the second intermediary data according to the preset protocol rule, the first node server may construct the third intermediary data and the fourth intermediary data of the first node server according to the following equations:

U_i＝ρ_iV＝ρ_i(-mP-rQ+∑_i∈SV_i)，T_i＝l_iA＝l_i∑_i∈SA_i

wherein, U_iThird intermediary data, T, for the first node server_iFourth intermediate data, rho, for the first node server_iIs a fifth random number,/_iIs the sixth random number and Q is the public signature key.

In the same manner, the other node servers may generate respective third intermediation data and fourth intermediation data, respectively.

In this embodiment, the first node server may generate a second intermediary commitment file (which may be denoted as c 2) regarding the third intermediary data and the fourth intermediary data in the following manner_i)：c2_i←Com(U_i,T_i) (ii) a And broadcasting the second medium acceptance file to the outside.

In the same manner, the other node servers may generate and broadcast the corresponding second intermediate commitment file to the outside, respectively.

In this embodiment, in a case where the first node server determines that the second intermediary commit file broadcasted by the other node server is received, the second intermediary commit file may be opened so that the other node server obtains the third intermediary data and the fourth intermediary data of the first node server. Accordingly, the other node server may open a second intermediary commitment file of the own party, and the first node server may obtain third intermediary data and fourth intermediary data of the other node server.

In this embodimentThe first node server may verify the received second intermediate commitment file as accurate according to the received third intermediate data, fourth intermediate data and second intermediate commitment file of the other node server, and terminate the subsequent data processing if an error is found. If the received second intermediary commitment file is found to be accurate, further verifying that the received third intermediary data and fourth intermediary data for each node server satisfy the following data relationships: sigma_i∈ST_i＝∑_i∈SA_i. In a case where it is determined that the above-described data relationship is not satisfied, the subsequent data processing is terminated. In a case where it is determined that the above data relationship is satisfied, the fourth verification for which the first node server is responsible is considered to pass.

In the same manner, the other node servers may perform the fourth authentication for which the own party is responsible, respectively. And under the condition that the fourth verification in charge of each node server passes, determining that the fourth verification passes, and further continuing the subsequent data processing. In contrast, in the case where at least one of the fourth verifications for which the respective node servers are responsible fails, it is determined that the fourth verification fails, and the subsequent data processing may be terminated.

In this embodiment, in the case that it is determined that the fourth verification passes, the first node server may externally broadcast the component data of the second signature of the first node server. Meanwhile, other node servers may broadcast component data of the second signature of the own party to the outside.

Accordingly, the other node servers may obtain the second signed component data broadcast by the first node server, and the first node server may obtain the second signed component data broadcast by the other node servers.

Further, the first node server may generate a second partial signature in the target digital signature of the target information according to the following equation, based on the component data of the second signature of the first node server and the component data of the second signature broadcast by other node servers:

s＝∑_i∈Ss_i

wherein s is the second partial signature.

In the same manner, the other node servers may generate corresponding second partial signatures, respectively. See Phase5 in fig. 3.

S207: and generating a target digital signature of the target information according to the first partial signature and the second partial signature.

In this embodiment, the first node server may obtain a complete digital signature, for example, (r, s) as a target digital signature of the target information by combining the first partial signature and the second partial signature.

Further, the first node server may place the target digital signature on the target information.

In this embodiment, in specific implementation, the other node servers may also generate the target digital signature according to the above-described manner, and further may set the target digital signature on the target information.

In this embodiment, based on the method, when the plurality of node servers perform joint signature, any first node server in the plurality of node servers participating in the joint signature may first generate a first random number, a second random number, and a first temporary private key; and performing data interaction and verification for multiple times with other node servers by using the data according to a preset protocol rule integrating an ElGamal encryption algorithm and a class group encryption algorithm to generate a first part signature and a second part signature in a target digital signature of the target information in multiple times, so that a complete target digital signature related to the target information can be obtained. Therefore, the multi-threshold combined signature can be efficiently and safely realized on the premise of not revealing private key data held by each node server. The method effectively solves the technical problems of large calculation amount, low processing efficiency, large communication bandwidth and safety risk in the multi-party threshold joint signature of the existing method.

In an embodiment, the generating the first random number, the second random number, and the first temporary private key in response to the joint signature request may include the following steps:

s1: responding to the joint signature request, and generating and broadcasting confirmation information to the outside under the condition of determining to participate in the joint signature;

s2: receiving confirmation information broadcast by other node servers;

s3: counting the number of node servers broadcasting the acknowledgement information;

s4: and under the condition that the number of the node servers broadcasting the confirmation information is larger than a preset threshold value, generating a first random number, a second random number and a first temporary private key.

In this embodiment, when it is determined that the number of node servers broadcasting the acknowledgment information is greater than a preset threshold (e.g., t), it is determined that the number of node servers participating in the joint signature is valid, and then the node servers sending the acknowledgment information may be divided into a node server set, which is denoted as D, and subsequent data processing is triggered. On the contrary, in the case that the number of node servers broadcasting the confirmation information is less than or equal to the preset threshold value, it is determined that the number of confirmation participation joint signatures is invalid, and subsequent data processing is not triggered.

In one embodiment, before generating the first random number, the second random number, and the first temporary private key in response to the joint signature request, reference may be made to fig. 4 in particular in the key generation stage. The method can also comprise the following contents when being implemented.

S1: and generating a first public key, a first private key, a first partial signature private key and a first partial signature public key according to a preset protocol rule.

In one embodiment, the first public key specifically may include: public key data based on an ElGamal encryption algorithm and public key data based on a class group encryption algorithm; the first private key may specifically include: private key data based on the ElGamal encryption algorithm and private key data based on the class group encryption algorithm.

In this embodiment, in specific implementation, the first node server may generate a new packet including two public packets according to a preset protocol rule by using an ElGamal encryption algorithm and a group encryption algorithm simultaneouslyThe key data and the public and private key pair of the two private key data can be recorded as (pk)_i，sk_i). Wherein sk_iIs a first private key, pk_iIs the first public key.

Further, the node server extracts a random number as a first partial signature private key u_iE.g. u_i←Z_q. In addition, the first node server can generate a corresponding first partial signature public key Q according to the first partial signature private key_iFor example, the first partial signature public key is calculated according to the following equation: q_i＝u_iAnd P. Wherein, the upper order of the P elliptic curve is a generator of prime numbers.

In the same manner, the other node servers may generate the first public key, the first private key, the first partial signature private key, and the first partial signature public key, respectively.

S2: a third data set is generated and broadcast out containing a first partial commitment file and a first public key for the first partial signature public key.

In this embodiment, the first node server may generate a first partial commitment file kgc for a first partial public signature key_i. Specifically, for example, kgc_i←Com(u_iP). Further, the first partial commitment file and the first public key may be combined to obtain a third data set, e.g., (pk)_i，kgc_i). And broadcasting the third data group to the outside.

In a similar manner, the other node servers may generate and externally broadcast the third data group.

S3: and in the case of determining that the third data group broadcasted by the other node servers is received, opening the first partial commitment file so that the other node servers obtain the first partial signature public key of the first node server.

In this embodiment, the first node server may receive the third data group broadcast by the other node servers, and correspondingly, the other node servers may receive the third data group broadcast by the first node server.

In this embodiment, after receiving the third data group broadcast by the other node servers, the first node server may open the first partial commitment file of its own party, so that the other node servers may obtain the first partial signature public key of the first node server. Accordingly, the other node server may open the own first partial commitment file, so that the first node server may obtain the first partial signature public key of the other node server.

S4: and acquiring and performing fifth verification according to the first part of signature public keys of other node servers.

In this embodiment, the first node server may verify, according to the acquired first part of signature public keys of the other node servers, the first part of commitment files in the third data group that is broadcast before by the other node servers, to determine whether the first part of commitment files is accurate, and terminate subsequent data processing when inaccuracy is detected; and when all the first part commitment files are detected to be accurate, determining that the fifth verification which is taken charge of by the first node server passes.

In the same manner, the other node servers may respectively perform the responsible fifth authentication.

And under the condition that the fifth verification which is responsible for all the node servers is determined to pass, determining that the fifth verification passes, and continuing the subsequent data processing. In contrast, if it is determined that there is a fifth verification failure for which at least one node server is responsible, it is determined that the fifth verification failure occurs, and the subsequent data processing is terminated. Thereby protecting the data security of the participating parties in the key generation phase.

If the fifth verification passes, the first node server may generate a signature public key Q according to the following equation and the first part of signature public keys of other node servers: q ═ Σ_i∈[n]Q_i。

In the same way, other node servers can also calculate the same public signature key Q.

S5: and under the condition that the fifth verification is determined to pass, generating a threshold fragment private key and a threshold fragment public key of the first node server according to a preset protocol rule, a preset threshold value and the first part of signature public key, and broadcasting the threshold fragment public key to the outside.

In an embodiment, the threshold fragment private key and the threshold fragment public key of the first node server are generated according to a preset protocol rule, a preset threshold value, and the first part of signature public key.

S5-1: and constructing a target polynomial with the times being a preset threshold value according to a preset protocol rule.

In this embodiment, the first node server may construct the target polynomial in the following manner:

p_i(X)＝u_i+σ_k∈[t]a_i,kX^kmodq

wherein the coefficient a_i,kIs a randomly drawn number, q is a prime number, and X is an unknown number.

S5-2: and interacting with other node servers according to the target polynomial to acquire the threshold parameters of the other node servers aiming at the first node server.

In this embodiment, the first node server may generate corresponding threshold parameters for each node server in the other node servers according to the target polynomial; and then the threshold parameter is sent to the node server through a two-party channel with the node server.

Specifically, taking the example that the first node server generates the threshold parameter of the current node server with the number j, the value of X may be made to be j, and the value of the target polynomial may be calculated as the threshold parameter corresponding to the current node server, for example, σ_i,j＝p_i(j) In that respect Then, the threshold parameter sigma is used_i,jAnd the information is sent to the current node server through two channels independently. As can be seen in fig. 4.

In the same manner, each node server may generate a threshold parameter, and send the threshold parameter to the corresponding node server.

In this embodiment, the first node server may further calculate the verification parameter according to the target polynomial in the following manner: v_i,k＝a_i,kAnd P, constructing and obtaining a verification parameter sequence: { V_i,k}_k∈[t]And broadcasting the verification parameter sequence to the outside.

Correspondingly, other node servers can construct and broadcast the verification parameter sequence externally according to the same mode.

S5-3: and generating a threshold fragmentation private key of the first node server according to the threshold parameters of other node servers aiming at the first node server.

In this embodiment, the first node server may receive the threshold parameter sent by the other node servers, and correspondingly, the other node servers may receive the threshold parameter sent by the first node server.

In this embodiment, before generating the threshold slice private key, the received threshold parameter may also be verified according to the received verification parameter sequence.

Specifically, the threshold parameter σ sent by the current node server with the verification number j of the first node server is used_j,iFor example. The threshold parameter σ can be determined by detecting whether the following equation holds_j,iWhether the verification is accurately carried out is as follows:

according to the mode, if the first node server and the other node servers find that at least one threshold parameter is inaccurate, the verification is not passed, and the subsequent data processing can be terminated. Conversely, if all threshold parameters are determined to be accurate, the verification is passed and subsequent data processing can be performed.

In this embodiment, in specific implementation, when the first node server determines that the verification passes, the threshold shard private key (which may be denoted as x) of the first node server may be generated according to the following equation_i)：x_i＝∑_i∈[n]σ_k.i。

In the same way, other node servers can respectively generate respective threshold fragment private keys. The threshold fragment private key is kept by the generated node server and is not disclosed to the outside.

S5-4: and generating a threshold sharding public key of the first node server according to the threshold sharding private key of the first node server.

In this embodiment, when the first node server is implemented, the corresponding threshold shard public key may be generated according to the following equation: x_i＝x_iP。

Further, the first node server can also generate an NIZK certification file about the threshold fragmentation public key, and the NIZK certification file is used as a certification file of the threshold fragmentation public key and is recorded as a pi certification file_k,g,i. Furthermore, the first node server may broadcast the threshold fragmentation public key and the certification document of the threshold fragmentation public key to the outside. Wherein, the certification file of the threshold fragmentation public key is used for certifying that a corresponding threshold fragmentation private key x exists_iSo that X_i＝x_iP holds.

In the same manner, other node servers may generate and externally broadcast their respective threshold shard public keys and certification documents of the threshold shard public keys.

Therefore, each node server can receive and obtain the threshold fragmentation public key of all the node servers and the certification file of the threshold fragmentation public key.

Further, each node server may perform verification according to the received threshold fragmentation public key and the received certification document of the threshold fragmentation public key, so as to verify whether the received certification documents of all the threshold fragmentation public keys and the threshold fragmentation public key are accurate. If there is at least one inaccuracy, the verification is not passed, the subsequent data processing is terminated, and if all are accurate, the verification is passed.

Through the embodiment, each node server in the signature group can respectively obtain and hold the threshold sharding private key introduced with the multi-party threshold signature technology and the threshold sharding public keys of other node servers. The threshold fragmentation public keys of the node servers with the number larger than the preset threshold value can be combined to obtain a complete signature public key Q.

In one embodiment, before the key generation stage is completed and the digital signature stage is entered, the following preprocessing may be performed.

Taking the preprocessing of the first node server as an example, the security parameter λ of the first node server may be calculated according to the following formula_i：λ_i＝Π_j∈S,j≠i(-j)/Π_j∈S,j≠i(i-j)。

Further, the following formula can be calculated by using the security parameters, the threshold fragment private key and the threshold fragment public key: w_k＝λ_kX_kK ∈ S, and w_i＝λ_ix_i. And the number of the node servers contained in the S is greater than a preset threshold value t.

Due to, { X_k}_k∈SThe private key of the threshold fragment is public, but the private key of the threshold fragment is secret, so that the first node server only knows the private key x of the threshold fragment held by the first node server_i. Accordingly, the first node server may calculate the following relationship data: { X_k}_k∈SAnd w_i. Wherein, the relationship data satisfies the following threshold signature relationship: sigma_k∈SW_k＝Q。

Of course, other node servers may also perform preprocessing in the above manner to obtain the above relationship data.

Through the preprocessing, each node server participating in the joint signature can respectively have the threshold sharding private key held by the own party and the threshold sharding public key of each node server meeting the threshold signature relationship, so that preparation can be made for subsequent digital signatures.

As can be seen from the above, according to the method for generating a digital signature provided in the embodiments of the present specification, when a plurality of node servers perform joint signature, any first node server of the plurality of node servers participating in the joint signature may generate a first random number, a second random number, and a first temporary private key first; and performing data interaction and verification for multiple times with other node servers by using the data according to a preset protocol rule integrating an ElGamal encryption algorithm and a class group encryption algorithm to generate a first part signature and a second part signature in a target digital signature of the target information in multiple times, so that a complete target digital signature related to the target information can be obtained. Therefore, the multi-threshold combined signature can be efficiently and safely realized on the premise of not revealing private key data held by each node server. The method effectively solves the technical problems of large calculation amount, low processing efficiency, large communication bandwidth and safety risk in the multi-party threshold joint signature of the existing method.

Embodiments of the present specification further provide a server, including a processor and a memory for storing processor-executable instructions, where the processor, when implemented, may perform the following steps according to the instructions: responding to the joint signature request, and generating a first random number, a second random number and a first temporary private key; wherein the joint signature request carries at least target information to be signed; encrypting the first random number by using the second random number and the first public key according to a preset protocol rule to obtain first ciphertext data; generating a first temporary commitment file about the first temporary public key using the first temporary private key; generating a first certification file about the first ciphertext data and the first temporary commitment file; the preset protocol rule is obtained according to an ElGamal encryption algorithm and a class group encryption algorithm; broadcasting a first data group containing the first ciphertext data, a first temporary commitment file and a first certification file to the outside; receiving a first data group broadcast by other node servers; according to a preset protocol rule and the first data group broadcast by the other node servers, respectively carrying out preset first data interaction with each node server in the other node servers to obtain second intermediate data and third intermediate data; according to a preset protocol rule and the third intermediate data, performing preset second data interaction with other node servers to generate a first part signature in a target digital signature of target information; according to a preset protocol rule, a first random number, target information, second intermediate data and a first partial signature, performing preset third data interaction with other node servers to generate a second partial signature in a target digital signature of the target information; and generating a target digital signature of the target information according to the first partial signature and the second partial signature.

In order to more accurately complete the above instructions, referring to fig. 5, another specific server is provided in the embodiments of the present specification, wherein the server includes a network communication port 501, a processor 502 and a memory 503, and the above structures are connected by an internal cable, so that the structures can perform specific data interaction.

The network communication port 501 may be specifically configured to receive a joint signature request; wherein the joint signature request carries at least target information to be signed.

The processor 502 may be specifically configured to respond to the joint signature request to generate a first random number, a second random number, and a first temporary private key; encrypting the first random number by using the second random number and the first public key according to a preset protocol rule to obtain first ciphertext data; generating a first temporary commitment file about the first temporary public key using the first temporary private key; generating a first certification file about the first ciphertext data and the first temporary commitment file; the preset protocol rule is obtained according to an ElGamal encryption algorithm and a class group encryption algorithm; broadcasting a first data group containing the first ciphertext data, a first temporary commitment file and a first certification file to the outside; receiving a first data group broadcast by other node servers; according to a preset protocol rule and the first data group broadcast by the other node servers, respectively carrying out preset first data interaction with each node server in the other node servers to obtain second intermediate data and third intermediate data; according to a preset protocol rule and the third intermediate data, performing preset second data interaction with other node servers to generate a first part signature in a target digital signature of target information; according to a preset protocol rule, a first random number, target information, second intermediate data and a first partial signature, performing preset third data interaction with other node servers to generate a second partial signature in a target digital signature of the target information; and generating a target digital signature of the target information according to the first partial signature and the second partial signature.

The memory 503 may be specifically configured to store a corresponding instruction program.

In this embodiment, the network communication port 501 may be a virtual port that is bound to different communication protocols, so that different data can be sent or received. For example, the network communication port may be a port responsible for web data communication, a port responsible for FTP data communication, or a port responsible for mail data communication. In addition, the network communication port can also be a communication interface or a communication chip of an entity. For example, it may be a wireless mobile network communication chip, such as GSM, CDMA, etc.; it can also be a Wifi chip; it may also be a bluetooth chip.

In this embodiment, the processor 502 may be implemented in any suitable manner. For example, the processor may take the form of, for example, a microprocessor or processor and a computer-readable medium that stores computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, an embedded microcontroller, and so forth. The description is not intended to be limiting.

In this embodiment, the memory 503 may include multiple layers, and in a digital system, the memory may be any memory as long as binary data can be stored; in an integrated circuit, a circuit without a physical form and with a storage function is also called a memory, such as a RAM, a FIFO and the like; in the system, the storage device in physical form is also called a memory, such as a memory bank, a TF card and the like.

The present specification further provides a computer storage medium based on the above digital signature generation method, where the computer storage medium stores computer program instructions, and when the computer program instructions are executed, the computer storage medium implements: responding to the joint signature request, and generating a first random number, a second random number and a first temporary private key; wherein the joint signature request carries at least target information to be signed; encrypting the first random number by using the second random number and the first public key according to a preset protocol rule to obtain first ciphertext data; generating a first temporary commitment file about the first temporary public key using the first temporary private key; generating a first certification file about the first ciphertext data and the first temporary commitment file; the preset protocol rule is obtained according to an ElGamal encryption algorithm and a class group encryption algorithm; broadcasting a first data group containing the first ciphertext data, a first temporary commitment file and a first certification file to the outside; receiving a first data group broadcast by other node servers; according to a preset protocol rule and the first data group broadcast by the other node servers, respectively carrying out preset first data interaction with each node server in the other node servers to obtain second intermediate data and third intermediate data; according to a preset protocol rule and the third intermediate data, performing preset second data interaction with other node servers to generate a first part signature in a target digital signature of target information; according to a preset protocol rule, a first random number, target information, second intermediate data and a first partial signature, performing preset third data interaction with other node servers to generate a second partial signature in a target digital signature of the target information; and generating a target digital signature of the target information according to the first partial signature and the second partial signature.

In this embodiment, the storage medium includes, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Cache (Cache), a Hard Disk Drive (HDD), or a Memory Card (Memory Card). The memory may be used to store computer program instructions. The network communication unit may be an interface for performing network connection communication, which is set in accordance with a standard prescribed by a communication protocol.

In this embodiment, the functions and effects specifically realized by the program instructions stored in the computer storage medium can be explained by comparing with other embodiments, and are not described herein again.

Referring to fig. 6, in a software level, an embodiment of the present specification further provides an apparatus for generating a digital signature, which may specifically include the following structural modules.

The first generating module 601 is specifically configured to respond to the joint signature request and generate a first random number, a second random number, and a first temporary private key; wherein the joint signature request carries at least target information to be signed;

the first processing module 602 may be specifically configured to encrypt the first random number by using the second random number and the first public key according to a preset protocol rule to obtain first ciphertext data; generating a first temporary commitment file about the first temporary public key using the first temporary private key; generating a first certification file about the first ciphertext data and the first temporary commitment file; the preset protocol rule is obtained according to an ElGamal encryption algorithm and a class group encryption algorithm;

the broadcasting module 603 may be specifically configured to broadcast a first data group including the first ciphertext data, the first temporary commitment file, and the first certification file to the outside; receiving a first data group broadcast by other node servers;

the second processing module 604 may be specifically configured to perform preset first data interaction with each node server in the other node servers according to a preset protocol rule and the first data group broadcast by the other node servers, so as to obtain second intermediate data and third intermediate data;

the third processing module 605 is specifically configured to perform preset second data interaction with another node server according to a preset protocol rule and the third intermediate data to generate a first part signature in a target digital signature of the target information;

the fourth processing module 606 may be specifically configured to perform preset third data interaction with another node server according to a preset protocol rule, the first random number, the target information, the second intermediate data, and the first partial signature, so as to generate a second partial signature in the target digital signature of the target information;

the second generating module 607 may be specifically configured to generate a target digital signature of the target information according to the first partial signature and the second partial signature.

It should be noted that, the units, devices, modules, etc. illustrated in the above embodiments may be implemented by a computer chip or an entity, or implemented by a product with certain functions. For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. It is to be understood that, in implementing the present specification, functions of each module may be implemented in one or more pieces of software and/or hardware, or a module that implements the same function may be implemented by a combination of a plurality of sub-modules or sub-units, or the like. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

As can be seen from the above, the apparatus for generating a digital signature provided in this specification can efficiently and safely implement a multi-threshold joint signature without revealing private key data held by each node server. The method solves the technical problems of large calculation amount, low processing efficiency, large communication bandwidth and safety risk in the multi-party threshold joint signature of the existing method.

In a specific scenario example, the method for generating a digital signature provided in the present specification may be applied to implement a multi-party threshold ECDSA signature based on class group encryption.

In this scenario example, the signature group with n members (e.g., node servers) is total, and a legitimate signature on a message can be safely and efficiently completed when there are at least t +1 honest participants without revealing respective private keys.

Based on existing methods, for example, [ CCL +20] implements a multi-party threshold ECDSA signature scheme based on class group encryption, but relies on stronger and non-standard assumptions.

In this scenario example, the generation method of the digital signature provided by this specification refers to the overall protocol framework of [ CCL +20] and [ GG18], simplifies the initialization process of interaction in the [ CCL +20] scheme, and uses the Promise Sigma protocol (i.e., a preset protocol rule) to replace the validity proof of the class group ciphertext in the [ CCL +20], which can solve the performance bottleneck, reduce the data processing amount, improve the data processing efficiency, and efficiently implement the multi-party threshold joint signature.

The Promise Sigma protocol used in this scenario example is a plain text equal Promise Sigma protocol.

The plaintext equality may specifically mean: the class group encrypted plaintext is equal to the ElGamal encrypted plaintext. The plain text equivalent Promise Sigma protocol formal language is described as follows:

the specific protocol implementation can be seen in fig. 7.

In this field example, the above interactive protocol may also be converted into a non-interactive protocol using the Fiat-Shamir heuristic in implementing the corresponding data processing by executing the protocol.

When the multi-party threshold ECDSA signature is implemented based on the above protocol, the method can be divided into two stages: a key generation phase and a signature phase.

In the key generation phase, as shown in fig. 4, a public-private key pair of each participant, a public signature key, and a share (share) of a private signature key of each signature participant, which are required for generating the multi-party threshold ECDSA signature according to the above protocol, can be provided. Specifically, in this scenario example, a (t, n) -threshold scheme, where there are n participants in total, a valid signature may be generated when more than t participants agree. A particular process may include the generation of a public signature public key Q (e.g., a public signature key); and generation of public signature public key threshold shards (e.g., threshold shard public keys).

In the signing stage, as shown in fig. 3, preprocessing may be performed first, and the target information m may be signed using the information generated in the key generation stage. The specific process can comprise the generation and encryption of a signature random number; ciphertext homomorphism operations, ciphertext decryption and verification (e.g., validation); and generation of a signature (e.g., a target digital signature).

Through the above scenario example, it is verified that the scheme provided by the present specification, in contrast to the [ CCL +20] scheme, can eliminate the dependence on stronger assumptions and non-standard assumptions, and has different degrees of improvements in performance of both computational efficiency and communication bandwidth. Specifically, the scheme does not need a complex interactive initialization process. In the signature stage, [ CCL +20] needs 8t +16, and the scheme only needs 4t +10 compared with the exponential operation on the class group with the largest influence on the efficiency. Therefore, the efficiency is higher.

Therefore, the scheme provides a new protocol, namely a Promise Sigma protocol, is applied to a digital signature scheme, and designs a safe and efficient multiparty threshold ECDSA signature scheme. Compared with the existing scheme, the method can greatly improve the calculation efficiency and eliminate the dependence of the existing scheme on stronger hypothesis and non-standard hypothesis.

Although the present specification provides method steps as described in the examples or flowcharts, additional or fewer steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an apparatus or client product in practice executes, it may execute sequentially or in parallel (e.g., in a parallel processor or multithreaded processing environment, or even in a distributed data processing environment) according to the embodiments or methods shown in the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. The terms first, second, etc. are used to denote names, but not any particular order.

Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be considered as a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.

This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, classes, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

From the above description of the embodiments, it is clear to those skilled in the art that the present specification can be implemented by software plus necessary general hardware platform. With this understanding, the technical solutions in the present specification may be essentially embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a mobile terminal, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments in the present specification.

The embodiments in the present specification are described in a progressive manner, and the same or similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. The description is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.

While the specification has been described with examples, those skilled in the art will appreciate that there are numerous variations and permutations of the specification that do not depart from the spirit of the specification, and it is intended that the appended claims include such variations and modifications that do not depart from the spirit of the specification.

Claims

1. A method for generating a digital signature, the method being applied to a first node server of a plurality of node servers, the method comprising:

2. The method of claim 1, wherein obtaining second intermediate data and third intermediate data by performing preset first data interaction with each of the other node servers according to a preset protocol rule and the first data group broadcast by the other node servers respectively comprises:

3. The method according to claim 2, wherein generating and sending corresponding first type parameter data, second ciphertext data and third ciphertext data to each of the other node servers according to a preset protocol rule and a first data group broadcast by the other node servers comprises:

4. The method of claim 1, wherein generating a first partial signature in a target digital signature of target information by performing a preset second data interaction with other node servers according to a preset protocol rule and the third intermediate data comprises:

5. The method of claim 4, wherein generating a first partial signature of the target digital signature of the target information according to a preset protocol rule, the third intermediate data and the first temporary public key of the other node server comprises:

6. The method of claim 5, wherein calculating the first target data according to the preset protocol rule, the third intermediate data, and the first temporary public key of the other node server comprises:

calculating the first target data according to the following equation:

R＝δ^-1(∑_j∈SΓ_j)

7. The method of claim 1, wherein generating the second partial signature of the target digital signature of the target information by performing preset third data interaction with other node servers according to a preset protocol rule, the first random number, the target information, the second intermediate data and the first partial signature comprises:

8. The method of claim 7, wherein after determining that the third authentication passed, the method further comprises:

accordingly, the method can be used for solving the problems that,

9. The method of claim 7, wherein constructing the second signed component data for the first node server from the first random number, the target information, the second intermediate data, and the first partial signature comprises:

s_i＝k_im+σ_ir

10. The method of claim 1, wherein generating the first random number, the second random number, and the first temporary private key in response to the joint signature request comprises:

receiving confirmation information broadcast by other node servers;

11. The method of claim 1, wherein prior to generating the first random number, the second random number, and the first temporary private key in response to the joint signature request, the method further comprises:

12. The method of claim 11, wherein the first public key comprises: public key data based on an ElGamal encryption algorithm and public key data based on a class group encryption algorithm; the first private key comprises: private key data based on the ElGamal encryption algorithm and private key data based on the class group encryption algorithm.

13. The method of claim 11, wherein generating the threshold shard private key and the threshold shard public key of the first node server according to the preset protocol rule, the preset threshold value and the first partial signature public key comprises:

14. An apparatus for generating a digital signature, comprising:

15. A server comprising a processor and a memory for storing processor-executable instructions which, when executed by the processor, implement the steps of the method of any one of claims 1 to 13.

16. A computer-readable storage medium having stored thereon computer instructions which, when executed, implement the steps of the method of any one of claims 1 to 13.